The SonicWALL Threats Research team observed reports of a new variant family of Floki [GAV:Floki.A] actively spreading
in the wild.

The Floki bot is a banking Trojan based on Zeus that has been sold on cybercrime underground.

This time attackers implemented new feature such as DLL Injection into Explorer.exe to avoid detection by Anti-Virus programs.

Infection Cycle:

The Malware adds the following files to the system:

Malware.exe

%Userprofile%\Application Data\ nyob\ubezral.exe

The Trojan adds the following Startup key to the Windows registry to ensure persistence upon reboot:

%Userprofile%\Start Menu\Programs\Startup\ubezral.lnk

Once the computer is compromised, the malware copies its own executable file to %Userprofile%\Local Settings\Application Data\ folder
With
Random name and then injects Explorer.exe to collects information from target system.

Here is an example of the Malware injection:

Command and Control (C&C) Traffic

The Malwareperforms C&C communication over 80 ports. The malware contains features such as memory scrapping functions like popular
Point-of-Sale Trojan BlackPOS and since now it's Christmas time, the best period for cyber criminals that attempt to steal credit card
data.

The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: